Unpatched Zero-Day Access Vulnerability For MS Windows Remains For Over A Month
By: Jim Stickley and Tina Davis
January 3, 2022
Microsoft Windows, like many other operating systems, has had its share of ongoing security flaws. For starters, this recent zero-day installer flaw allows an attacker to enter a Windows system unnoticed by security software and gain local access privileges. Within seconds, this can escalate to the attacker having administrator privileges. This level of access allows multiple malicious activities by attackers, including malware infections on all devices linked to the same Windows network.
Now that a security researcher has publicly exposed the continuing exploit, Microsoft has yet to release a patch for this zero-day flaw that truly works, all while its users remain at risk. This vulnerability affects all versions of Microsoft Windows, even those fully patched and up to date, including Windows 10, Windows 11 and Windows Server 2022.
Patch Tuesday Fail
In November’s Patch Tuesday, the monthly event on which software companies publicly release security flaw fixes, Microsoft released its fix for the “Windows Installer Elevation of Privilege Vulnerability” (CVE-2021-41379). At least they thought they fixed it. According to the security researcher who flagged this zero-day flaw, Microsoft’s Patch Tuesday release didn’t properly patch the zero-day access to begin with. He also found that “this variant is more powerful than the original one.” His proof-of-concept (PoC) exploit code shows the original patch failed, proving the exploit still exists and is likely more dangerous than the original.
In response to an inquiry by BleepingComputer, a Microsoft spokesperson comments “We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim's machine.”
Patch Watch Advised
Since Microsoft is still on the hook for a patch that truly fixes this zero-day exploit, security experts hope it’s a quick fix that doesn’t wait for the next Patch Tuesday, but instead is released before then. The company may choose to publicly alert its users if an emergency patch is available, but there’s always a chance they won’t. Instead, users should keep tabs on Microsoft’s Security Notification Service web page that provides links to their security software updates. The patch update may first be released there before any notification is made public.
In addition, Rapid7 researchers found that some anti-malware programs can detect exploitation of this flaw. So, keep those programs updated as well.
Fortunately, security experts believe there has been no large-scale attempt to abuse this zero-day access flaw as of this writing.